FD Logo
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Forensic Discoveries Newsletter

June 2010
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Welcome to Forensic Discoveries' eDiscovery and Digital Forensics Newsletter. Keeping you and your practice informed of the ever-changing realm and value of Electronic Discovery and Digital Forensics is the purpose of this newsletter. If you have a colleague that may be interested in subscribing, follow the instructions at the bottom of this newsletter to be added to the distribution. If you choose not to continue receiving this newsletter, follow the directions at the bottom of this newsletter and accept our apologies for intruding.
in this issue
A Shift in eDiscovery
Show No Fear...Lawyers need to..
Data Redaction: You're Doing it Wrong
Avoiding ethical pitfalls with electronic documents
New Website...
EDiscovery Case Law
Previous Newsletters
 
Although it has been a while, we hope you enjoyed our last newsletter. Due to a steady increase in new subscribers, Forensics Discoveries will continue to list previous newsletters. As others have done, please let us know of a specific topic you would like to see covered.

We have added a new newsletter archive section to our website. The improved archive interface provides the same interaction with the newsletter as the distributed newsletter. View the new newsletter archive here.

 Below is a review of our previous newsletters:
 

August 2007 - "What is Computer Forensics?"

September 2007 - "Preparing Your Clients for EDiscovery - Part 1"
October 2007 - "Preparing Your Clients for EDiscovery - Part 2"
November 2007 - "Preparing for Your Clients' EDiscovery"
December 2007 - "Why Does My Case Need Electronic Discovery?"
February 2008 - "Computer Forensics Proves Intelletual Property Theft"
March 2008 - "In Search of the Holy Grail"
May 2008 - "When to Preserve"
June 2008 - "Electronic Discovery in Workplace Litigation"
July 2008 - "Proving Spoliation with Computer Forensics"
August 2008 - "Proposed Updated TN Rules of Civil Procedure"
A Shift in eDiscovery


When I began speaking and writing on eDiscovery, I often stated that computers and e-mail were the primary forms of communications in our society.  Now I am beginning to question the accuracy of that statement, because mobile phones and SMS text messages are a close rival.

The mobile technologies now available are replacing many computers. In fact, 81% of business executives are connected to work through mobile devices. In addition, there are 3.5 million SMS text messages sent every day in America alone. But while mobile devices potentially provide a wealth of information for your case, they can also provide a new set of challenges.

The information available on mobile devices (cell phones and smartphones) varies greatly depending on the sophistication of the phone. Today's basic mobile phones usually contain call histories, SMS text messages, address books, pictures, and videos. But more advanced mobile devices such as Blackberries, iPhones, and the new Android phones can rival computers with the amount of potentially valuable information available.

Advanced mobile devices, in addition to basic information, may contain call durations, e-mail, calendars, memos, word documents, spreadsheets, presentations, PDFs, and Internet usage histories. Plus, with the ability to install additional applications, these advanced devices may also provide GPS location histories and a wealth of additional information depending on the applications installed. One artifact of valuable information available from iPhones can be found within the metadata of the pictures taken: the exact latitude and longitude of the location where the picture was taken.

So there's a potential goldmine in a technology that 91% of our population uses -- but there are also serious technical challenges in mining that gold. As the technology of mobile devices has evolved to an impressive level of sophistication, one important technological pillar has been overlooked: standardization.

With computers, various technological standards apply to hardware and software, and digital forensics depends on those standards for consistency. Mobile devices are more like the Wild West: each provider, and each phone from each provider, can vary drastically. This lack of standardization can make it difficult to obtain needed information. For example, information from password protected Blackberries cannot be obtained unless the password is reset by the business entity that issued the phone to the employee.

Another drastic difference between mobile phones and computers is deleted information. In speaking engagements, I often joke that "the delete key just entertains you" when referencing computers. However with mobile phones, the delete option is serious business. For technical architecture reasons that are beyond the scope of this article, deleted information is difficult to obtain from mobile phones. (The one exception is the iPhone, which is essentially a scaled down version of an Apple computer, but even then recovering deleted information is no picnic.) 

To prevent high expectations of recovering deleted information from mobile devices, I emphasize as clearly as possible that recovering usable deleted information from mobile phones is unlikely. Digital investigators are successful in recovering deleted information from phones on occasion, but that result is not typical.

You could try to obtain information that has been deleted from the mobile phone by subpoenaing the wireless carrier. But this will also likely be unsuccessful at least with regard to SMS text messages, an information set that is often the most prized. For various reasons, wireless providers have implemented short retention policies for this information. My experience, and that of my colleagues, indicates that SMS text messages will not be available long enough to obtain the information via civil subpoena. With some phones, text messages are deleted almost immediately upon delivery; with others, the messages last up to three days after delivery.

The good news is, the sending and receiving numbers of the SMS text message, along with call histories, will be retained for billing purposes for up to six months in some instances. There are a few other options depending on the model and usage of the phone, but the simplest is to realize that the message at one time existed on two phones: the sending phone and the receiving phone. Where possible, try to obtain the information from the other location.

Another option arises because more advanced mobile devices often "sync" with a computer. In such cases, it is possible that the computer with which the mobile device was synced will have historical information.  A final option is for advanced mobile devices that are issued by the owning company, mainly Blackberries. Many companies maintain a server that communicates to and from the Blackberry devices called a BES server. In some companies, these servers have backups that may contain the information you're interested in.

Mobile devices are the technology of choice for business communications and have likely surpassed computers for personal communications. The statistic that 91% of our population uses them may be hard to believe, but think about what you can observe in our culture on your own: phones in use in offices, restaurants, movie theatres, and by the driver beside you on the interstate. Moreover, actual phone calls are less than half of the usage of many  mobile phones. For "crackberry" users like me, information resides on my phone that I have forgotten is there, and it is unavailable anywhere else.

This source of information should not be ignored in electronic discovery and digital forensics. While the likelihood of being able to recover deleted information from most mobile devices is low, my best advice is to preserve the devices and collect information as soon as possible to prevent destruction or loss.

 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Show No Fear

Lawyers need to - and can - learn the language of e-discovery

Craig Ball has written another fantastic eDiscovery article for Law Technology News.

How many times have you heard a lawyer tell a court that he or she doesn't "understand computer stuff"? Can you imagine a lawyer confiding that he or she doesn't "understand document stuff"? The single greatest problem posed by electronically stored information isn't its volume or complexity. It's the reluctance of lawyers to exert the time and effort required to understand it... Read the entire article here.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Data Redaction: You're Doing it Wrong

Embedded metadata and redaction errors can be a nightmare for litigation professionals. During speaking engagements, I often demonstrate a real-world example of sensitive information that can be disclosed in embedded metadata. I will now give you an opportunity to demonstrate a devastating redaction error pertaining to a subpoena for President Obama in the Rod Blagojevich case. Go to this link and follow the simple instructions for viewing the redacted information.

Avoiding ethical pitfalls with electronic documents: Part 1 - Metadata


Metadata is a term that is appearing more frequently in legal circles. Since August 2006, several bar associations have issued formal ethics opinions addressing the ethical implications of the disclosure of information via metadata. Given the ubiquitous manner in which attorneys regularly exchange documents, the ethics involved in metadata is a topic that will likely rise with even greater frequency in the near future. Read the entire article here.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

New Website

As many of you are aware, Forensic Discoveries was acquired by Sword & Shield Enterprise Security, Inc in December of 2008. A few months ago, a lot of hard working people redesigned our entire website. The entire new website can be found here and the new Forensic Discoveries components can be found here. For those of you that have bookmarked the Forensic Discoveries website, all addresses remain valid. With the new website design, the Forensic Discoveries logo has also been redesigned and is being used in this newsletter.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
EDiscovery Case Law

 -----------------------------------------------------------------------------------------------------
Court Orders Monetary Sanctions for Production Delay Resulting from Counsel's Failure to Become Familiar with Plaintiff's Retention Policies and Systems


In re A & M Fla. Props. II, LLC, 2010 WL 1418861 (Bankr. S.D.N.Y. Apr. 7, 2010)

Where plaintiff's counsel "failed in his obligation to locate and produce all relevant documents in a timely manner" by failing to gain a sufficient understanding of plaintiff's computer systems resulting in significantly delayed production of relevant documents, the court declined to impose terminating sanctions or an adverse inference but ordered monetary sanctions against plaintiff and counsel in an amount to be determined. Continue reading here.

-----------------------------------------------------------------------------------------------------
Court Rules Failure to Copy Files on Flash Drive Prior to Failure of the drive Violated Duty to Preserve

Wilson v. Thorn Energy, LLC, 2010 WL 1712236 (S.D.N.Y. Mar. 15, 2010)

In this case, the court ordered sanctions for defendants' failure to preserve relevant data where defendants failed to back up a flash drive containing all relevant financial records and where that data was lost as the result of the flash drive's failure. Read more here.

-----------------------------------------------------------------------------------------------------
Court Orders Forensic Examination of Plaintiff's Computers Absent Denial that "Responsive Emails May have Existed at One Point

Adhi v. Twp. of W. Pikeland, 2010 WL 1047894 (E.D. Pa. Mar. 16, 2010)

In this zoning dispute, defendant moved to enforce a prior order of the court and, essentially, compel more complete responses to discovery, including the production of electronically stored information ("ESI"), specifically emails.  Plaintiff indicated that even if responsive emails had existed, they were deleted in the ordinary course of business.  Accepting defendant's assertions that "the mere deletion of an email does not make it lost forever", however, the court ordered plaintiff to allow defendant's "e-Discovery expert" to inspect plaintiff's computers to determine if any responsive information was still contained on the hard drives or the servers.  In so ordering, the court reasoned that this would "allow Defendant to conduct discovery on information to which it is entitled without burdening Plaintiff with the expense of hiring a discovery expert." Read more here.

-----------------------------------------------------------------------------------------------------
Court Orders Monetary Fine for Gross Negligence and Intentional Spoliation of ESI, Including Emails, Text-Message, and Skype Messages

Passlogix, Inc. v. 2FA Tech., LLC, 2010 WL 1702216 (S.D.N.Y. Apr. 27, 2010)

Upon finding that defendants spoliated relevant information, including emails, Skype messages, and computer logs, the court declined to order an adverse inference, to preclude defendants from the presentation of arguments implicating the discarded documents, or to order defendants to pay plaintiff's costs, but ordered monetary sanctions in the amount of $10,000, after balancing "2FA's litigation conduct with its status as a small corporation." Read more here.

-----------------------------------------------------------------------------------------------------
Court Order Provides Students, Parent Opportunity to View Images Captured by School-Issued Laptops


For anyone who hasn't heard, a school district in Pennsylvania has recently come under fire for using the webcams on school-issued laptops to capture images of students both during and outside of school hours - about 56,000 of them, according to reports.  According to the complaint filed in this case, students and parents were not informed of the school's ability to use the webcams.  In at least one instance, a student was called to the assistant principal's office to discuss an image captured by the webcam on his laptop.  His family has now sued the district and hopes that other students will join them.  According to the school district, the webcams were intended for tracking lost or stolen computers. Read more here.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Forensic Discoveries is available to provide onsite presentations or Q&A sessions on topics such as Electronic Discovery, Technical Implications of the updated Federal Rules of Civil Procedure, or Computer Forensics. Forensic Discoveries is also available to you, obligation free, to answer any specific questions pertaining to these topics. Simply give us a call and we will be glad to answer any questions pertaining to Electronic Discovery and Digital Forensics.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

a division of Sword & Shield

   Knoxville Office

   Phone:    (865)-244-3500

   Address:  1431 Centerpoint Blvd, Suite 150

                  Knoxville, TN 37932


   Washington D.C. Office

   Phone:    (410)-414-5580

   Address:  1425 K Street NW, Suite 350

                 Washington, DC 20005-3514


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

If you have a topic that you would like addressed in the newsletter, please let us know. Either visit http://www.forensicdiscoveries.com/newsletter.html and submit your suggestion there or reply to this e-mail with your suggestion. 

For previous versions of Forensic Discoveries EDiscovery newsletters, click here 

This document does not provide legal or other professional advice and should not be relied upon as anything other than a starting point for research and information on the subject of electronic evidence and digital forensics.